Reducing the number of block masks required for programming multiple access control lists in an associative memory

ABSTRACT

Mechanisms for reducing the number of block masks required for programming multiple access control lists in an associative memory are disclosed. A combined ordering of masks corresponding to multiple access control lists (ACLs) is typically identified, with the multiple ACLs including n ACLs. An n-dimensional array is generated, wherein each axis of the n-dimensional array corresponds to masks in their requisite order of a different one of the multiple ACLs. The n-dimensional array progressively identifies numbers of different masks required for subset orderings of masks required for subsets of the multiple ACLs. The n-dimensional array is traversed to identify a sequence of masks corresponding to a single ordering of masks including masks required for each of the multiple ACLs.

TECHNICAL FIELD

One embodiment of the invention relates to communications and computer systems, especially networked routers, packet switching systems, and other devices using associative memories (e.g., content-addressable memories); and more particularly, one embodiment relates to reducing the number of block masks required for programming multiple access control lists in an associative memory.

BACKGROUND

The communications industry is rapidly changing to adjust to emerging technologies and ever increasing customer demand. This customer demand for new applications and increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology. Increasingly, public and private communications networks are being built and expanded using various packet technologies, such as Internet Protocol (IP).

A network device, such as a switch or router, typically receives, processes, and forwards or discards a packet based on one or more criteria, including the type of protocol used by the packet, addresses of the packet (e.g., source, destination, group), and type or quality of service requested. Additionally, one or more security operations are typically performed on each packet. But before these operations can be performed, a packet classification operation must typically be performed on the packet.

Packet classification as required for, inter alia, access control lists (ACLs) and forwarding decisions, is a demanding part of switch and router design. The packet classification of a received packet is increasingly becoming more difficult due to ever increasing packet rates and number of packet classifications. For example, ACLs typically require matching packets on a subset of fields of the packet header or flow label, with the semantics of a sequential search through the ACL rules.

Access control and quality of service features are typically implemented based on programming contained in one or more ACLs. To implement features in hardware, these multiple ACL lists are typically combined into one list, which can be used for programming an associative memory. Various techniques are known for combining these items, such as Binary Decision Diagram (BDD) and Order Dependent Merge (ODM). For example, if there are two ACLs A (having entries A1 and A2) and B (having entries B1 and B2), then ODM combines these original lists to produce one of two cross-product equivalent ordered lists, each with four entries: A1B1, A1B2, A2B1, and A2B2; or A1B1, A2B1, A1B2, and A2B2. These four entries can then be programmed into an associative memory and an indication of a corresponding action to be taken placed in an adjunct memory. Lookup operations can then be performed on the associative and adjunct memories to identify a corresponding action to use for a particular packet being processed. There are also variants of ODM and BDD which may filter out the entries which are unnecessary as their values will never allow them to be matched. Merged entries which are order independent can be sorted based on common masks, and programmed into the block masks of an associative memory (which typically does not significantly reduce the number of block masks required), or can be programmed in any order in an associative memory where each entry has its own mask field. Nonconsecutive merged entries which remain order dependent must maintain their ordering when programmed into an associative memory, and thus cannot be rearranged to reduce or eliminate redundant masks when entries are masked using block masks. Also, one or more of these techniques may produce an increased number of entries and/or block masks required for programming the resultant entries into an associative memory.

An example of an associative memory using block masks is described in Ross et al., “Block Mask Ternary CAM”, U.S. Pat. No. 6,389,506, issued May 12, 2002, which is hereby incorporated by reference. In a nutshell, a block mask is a mask that is applied to each entry of a block of entries. Such an associative memory typically has numerous blocks and corresponding block masks. FIG. 1A shows one such prior art associative memory 100, having multiple blocks 110, 120, and 130, each with corresponding block masks 111, 121, and 131 for blocks of associative memory entries 112, 122, and 132.

FIG. 1B illustrates a prior art approach for combining masks of two ACLs 150 and 152, having masks as shown with their corresponding required ordering. The result of a first approach for combining these lists is shown in ordering 155, in which entries of ACL-2 152 are concatenated at the end of entries of ACL-1 150 to produce an ordering that requires m masks, where m is the sum of the number of masks required for each of ACLs 150 and 152. The results 156 and 157 of a second approach are similar, but the second approach allows the mask at the end of a list to be used by both ACLs 150 and 152 if the last required mask of one ACL is the same mask as first required by the other ACL; the number of masks required is then m minus a small number of overlapping masks. However, this does not significantly reduce the overall number of masks required, which can be a problem as the number of different masks in the required order is directly correlated to the number of ACL entries which can be stored in a block mask associative memory. Thus, an efficient way of allocating these masks is desired.

SUMMARY

Disclosed are, inter alia, methods, apparatus, data structures, computer-readable medium, mechanisms, and means for reducing the number of block masks required for programming multiple access control lists in an associative memory.

One embodiment identifies a combined ordering of masks corresponding to multiple access control lists (ACLs), the multiple ACLs including n ACLs. A required ordering of masks for each of the n ACLs is identified. An n-dimensional array is generated, wherein each axis of the n-dimensional array corresponds to masks in their requisite order of a different one of the multiple ACLs. The n-dimensional array progressively identifies numbers of different masks required for subset orderings of masks required for subsets of the multiple ACLs. The n-dimensional array is traversed to identify a sequence (e.g., the order or reverse order) of masks corresponding to a single ordering of masks including masks required for each of the multiple ACLs. The single ordering of masks maintains the ordering of masks required for each of the multiple ACLs with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of an ACL of the multiple ACLs.

In one embodiment, a last position identified by a last column and last row of the array identifies the number of different masks required for the single ordering of masks. In one embodiment, the matrix is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the multiple ACLs. One embodiment maintains indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated, and the n-dimensional array is traversed based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated. One embodiment populates multiple block masks of an associative memory with said masks required for the multiple ACLs such that the single ordering of masks is produced in the associative memory. Rather than combining all n ACLs at a time when n is greater than two, one embodiment successively combines two ACLs together, then combines that result with a next ACL, and so on.

One embodiment identifies a combined ordering of masks corresponding to a first ACL and a second ACL. A first ordering of masks required for the first ACL is identified. A second ordering of masks required for the second ACL is identified. A matrix of the first and second orderings of masks is generated, with the matrix progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs. The matrix is traversed to identify a sequence (e.g., the order or reverse order) of masks corresponding to a single ordering of masks including masks required for the first ACL and the second ACL. The single ordering of masks maintains the first and second orderings of masks with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of the first and second ACLs.

In one embodiment, a last position identified by a last column and last row of the matrix identifies the number of different masks required for the single ordering of masks. In one embodiment, the matrix is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs. One embodiment maintains indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated, and the matrix is traversed based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated. One embodiment populates multiple block masks of an associative memory with said masks required for the first and second ACLs such that the single ordering of masks is produced in the associative memory.

BRIEF DESCRIPTION OF THE DRAWINGS

The appended claims set forth the features of the invention with particularity. The invention, together with its advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:

FIGS. 1A-B are block diagrams illustrating a prior art associative memory with block masks and prior art approaches for combining masks from two access control lists;

FIGS. 2A-2D illustrate the generation as performed in one embodiment of an array/matrix progressively identifying the number of different masks required for subset orderings of masks required for subsets of multiple ACLs;

FIGS. 2E-F illustrate the traversal as performed in one embodiment of an array/matrix to identify a mask ordering;

FIGS. 3A-C illustrate an array/matrix generated and traversed in one embodiment to identify a mask ordering;

FIG. 4A is a flow diagram illustrating a process used in one embodiment for generating and traversing an array/matrix;

FIG. 4B is a flow diagram illustrating a process used in one embodiment for generating and traversing an array/matrix;

FIG. 5 illustrates pseudo-code used in one embodiment for generating and traversing an array/matrix; and

FIGS. 6A-C are block diagrams of various exemplary systems including one or more embodiments for reducing the number of block masks required for programming multiple access control lists in an associative memory and/or for performing lookup operations on the programmed associative memories.

DETAILED DESCRIPTION

Disclosed are, inter alia, methods, apparatus, data structures, computer-readable medium, mechanisms, and means for reducing the number of block masks required for programming multiple access control lists in an associative memory.

Embodiments described herein include various elements and limitations, with no one element or limitation contemplated as being a critical element or limitation. Each of the claims individually recites an aspect of the invention in its entirety. Moreover, some embodiments described may include, but are not limited to, inter alia, systems, networks, integrated circuit chips, embedded processors, ASICs, methods, and computer-readable medium containing instructions. One or multiple systems, devices, components, etc. may comprise one or more embodiments, which may include some elements or limitations of a claim being performed by the same or different systems, devices, components, etc. The embodiments described hereinafter embody various aspects and configurations within the scope and spirit of the invention, with the figures illustrating exemplary and non-limiting configurations.

As used herein, the term “packet” refers to packets of all types or any other units of information or data, including, but not limited to, fixed length cells and variable length packets, each of which may or may not be divisible into smaller packets or cells. The term “packet” as used herein also refers to both the packet itself or a packet indication, such as, but not limited to all or part of a packet or packet header, a data structure value, pointer or index, or any other part or direct or indirect identification of a packet or information associated therewith. For example, often times a router operates on one or more fields of a packet, especially the header, so the body of the packet is often stored in a separate memory while the packet header is manipulated, and based on the results of the processing of the packet (i.e., the packet header in this example), the entire packet is forwarded or dropped, etc. Additionally, these packets may contain one or more types of information, including, but not limited to, voice, data, video, and audio information. The term “item” is used generically herein to refer to a packet or any other unit or piece of information or data, a device, component, element, or any other entity. The phrases “processing a packet” and “packet processing” typically refer to performing some steps or actions based on the packet contents (e.g., packet header or other fields), and such steps or action may or may not include modifying, storing, dropping, and/or forwarding the packet and/or associated data.

The term “system” is used generically herein to describe any number of components, elements, sub-systems, devices, packet switch elements, packet switches, routers, networks, computer and/or communication devices or mechanisms, or combinations of components thereof. The term “computer” is used generically herein to describe any number of computers, including, but not limited to personal computers, embedded processing elements and systems, control logic, ASICs, chips, workstations, mainframes, etc. The term “processing element” is used generically herein to describe any type of processing mechanism or device, such as a processor, ASIC, field programmable gate array, computer, etc. The term “device” is used generically herein to describe any type of mechanism, including a computer or system or component thereof. The terms “task” and “process” are used generically herein to describe any type of running program, including, but not limited to a computer process, task, thread, executing application, operating system, user process, device driver, native code, machine or other language, etc., and can be interactive and/or non-interactive, executing locally and/or remotely, executing in foreground and/or background, executing in the user and/or operating system address spaces, a routine of a library and/or standalone application, and is not limited to any particular memory partitioning technique.
The steps, connections, and processing of signals and information illustrated in the figures, including, but not limited to any block and flow diagrams and message sequence charts, may typically be performed in the same or in a different serial or parallel ordering and/or by different components and/or processes, threads, etc., and/or over different connections and be combined with other functions in other embodiments, unless this disables the embodiment or a sequence is explicitly or implicitly required (e.g., for a sequence of read the value, process the value—the value must be obtained prior to processing it, although some of the associated processing may be performed prior to, concurrently with, and/or after the read operation). Furthermore, the term “identify” is used generically to describe any manner or mechanism for directly or indirectly ascertaining something, which may include, but is not limited to receiving, retrieving from memory, determining, defining, calculating, generating, etc.

Moreover, the terms “network” and “communications mechanism” are used generically herein to describe one or more networks, communications mediums or communications systems, including, but not limited to the Internet, private or public telephone, cellular, wireless, satellite, cable, local area, metropolitan area and/or wide area networks, a cable, electrical connection, bus, etc., and internal communications mechanisms such as message passing, interprocess communications, shared memory, etc. The term “message” is used generically herein to describe a piece of information which may or may not be, but is typically communicated via one or more communication mechanisms of any type.

The term “storage mechanism” includes any type of memory, storage device or other mechanism for maintaining instructions or data in any format. “Computer-readable medium” is an extensible term including any memory, storage device, storage mechanism, and other storage and signaling mechanisms including interfaces and devices such as network interface cards and buffers therein, as well as any communications devices and signals received and transmitted, and other current and evolving technologies that a computerized system can interpret, receive, and/or transmit. The term “memory” includes any random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components or elements. The term “storage device” includes any solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Memories and storage devices may store computer-executable instructions to be executed by a processing element and/or control logic, and data which is manipulated by a processing element and/or control logic. The term “data structure” is an extensible term referring to any data element, variable, data structure, database, and/or one or more organizational schemes that can be applied to data to facilitate interpreting the data or performing operations on it, such as, but not limited to memory locations or devices, sets, queues, trees, heaps, lists, linked lists, arrays, tables, pointers, etc. A data structure is typically maintained in a storage mechanism. The terms “pointer” and “link” are used generically herein to identify some mechanism for referencing or identifying another element, component, or other entity, and these may include, but are not limited to a reference to a memory or other storage mechanism or location therein, an index in a data structure, a value, etc.
The term “associative memory” is an extensible term, and refers to all types of known or future developed associative memories, including, but not limited to binary and ternary content addressable memories, hash tables, TRIE and other data structures, etc. Additionally, the term “associative memory unit” may include, but is not limited to one or more associative memory devices or parts thereof, including, but not limited to regions, segments, banks, pages, blocks, sets of entries, etc.

The term “one embodiment” is used herein to reference a particular embodiment, wherein each reference to “one embodiment” may refer to a different embodiment, and the use of the term repeatedly herein in describing associated features, elements and/or limitations does not establish a cumulative set of associated features, elements and/or limitations that each and every embodiment must include, although an embodiment typically may include all these features, elements and/or limitations. In addition, the phrase “means for xxx” typically includes computer-readable medium containing computer-executable instructions for performing xxx.

In addition, the terms “first,” “second,” etc. are typically used herein to denote different units (e.g., a first element, a second element). The use of these terms herein does not necessarily connote an ordering such as one unit or event occurring or coming before another, but rather provides a mechanism to distinguish between particular units. Additionally, the use of a singular tense of a noun is non-limiting, with its use typically including one or more of the particular thing rather than just one (e.g., the use of the word “memory” typically refers to one or more memories without having to specify “memory or memories,” or “one or more memories” or “at least one memory”, etc.). Moreover, the phrases “based on x” and “in response to x” are used to indicate a minimum set of items x from which something is derived or caused, wherein “x” is extensible and does not necessarily describe a complete list of items on which the operation is performed, etc. Additionally, the phrase “coupled to” is used to indicate some level of direct or indirect connection between two elements or devices, with the coupling device or devices modifying or not modifying the coupled signal or communicated information. The term “subset” is used to indicate a group of all or less than all of the elements of a set. The term “subtree” is used to indicate all or less than all of a tree. Moreover, the term “or” is used herein to identify a selection of one or more, including all, of the conjunctive items.


Turning to the figures, FIGS. 2A-2D illustrate the generation as performed in one embodiment of an array/matrix progressively identifying the number of different masks required for subset orderings of masks required for subsets of multiple ACLs, and FIGS. 2E-F illustrate the traversal as performed in one embodiment of an array/matrix to identify a mask ordering.

Illustrated in these figures is a cost array 200 generated for reducing the number of block masks required for programming multiple access control lists in an associative memory. Note, the term “array” is used herein in an extensible manner to refer to an array, matrix or other data structure. As shown, cost array 200 has a horizontal axis corresponding to ACL-1 (201) which has four masks (A-D), with a required order of A, B, C, and then D as shown on the horizontal axis. Cost array 200 has a vertical axis corresponding to ACL-2 (202) which has four masks (A-D), with a required order of D, B, C, and then A as shown on the vertical axis. Also, the first position of the cost array 200 is identified as (0,0), as the first column and row is identified by ‘0’ indicating no corresponding mask required. Thus, as shown in the first column and row of cost array 200, the cost (i.e., the number of masks required) is just the number of masks required for a single ACL, i.e., ACL-1 (201) in the first row, and ACL-2 (202) in the first column. The generation of the costs for combinations of the ACLs 201 and 202 will now be described. Note, a mask can be shared in an associative memory employing block masks if a next entry uses the same mask and there remain free entries in the particular block of entries corresponding to the block mask.

As shown in FIG. 2A, the cost of position 211 is two, as it corresponds to two different masks (i.e., A and D) and thus the value of one is added to the lesser of the immediate previously horizontal and vertical positions. Thus, one plus one yields a cost of two for position 211.

As shown in FIG. 2B, more of cost array 200 has been generated. As shown, the value of position 212 is four, as it corresponds to the same mask (i.e., D) in both ACL-1 (201) and ACL-2 (202), and thus the lesser of the immediate previously horizontal and vertical positions is the value used for this position. Thus, four plus zero yields a cost of four for position 212.

As shown in FIG. 2C, the cost of position 213 is five, as it corresponds to two different masks (i.e., D and C) and thus the value of one is added to the lesser of the immediate previously horizontal and vertical positions. Thus, four plus one yields a cost of five for position 213.

FIG. 2D illustrates the completed generation of cost array 200. Note, the values stored in cost array 200 progressively identify the numbers of different masks required for subset orderings of masks, with the last column and last row position identifying a minimum number of different masks required for combination of the n access control lists, where in FIGS. 2A-F, the value of n is two for ease of illustration. However, this same process is used in combining masks required for n ACLs by generating and traversing an n-dimensional array. Also, n ACLs could be combined by combining two ACLs to produce a combined ACL, and then repeatedly combining the combined ACL with a next ACL until all n ACLs have been combined, or some variant thereof.

FIG. 2E illustrates the traversal of generated cost array 200 for identifying the ordering of masks, wherein the value of position 260 identifies the number of masks (i.e., six in this example). Position 260 corresponds to masks A and D, so either of these can be the last mask used. Then, to identify the reverse order (and thus the order) of masks, the traversal of cost array 200 begins at position 260, and follows a least cost path (i.e., either go up or left to the lesser cost value, or either if they are the same) through cost array 200 to the (0,0) position. This traversal path identifies the result and one or more mask orderings with the minimum number of different masks required (i.e., resultant mask order 261 for this example). Also, when using an n-dimensional array, this same traversal process is used with the traversal occurring in n dimensions.

As shown in FIG. 2E, this inverse ordering is AD or DA, followed by C (the path goes vertical so take the value from the destination column), followed by C (the path goes horizontal so take the value from the destination row), followed by BBDA. Thus, removing the adjacent redundant values yields the ordering of ADBCAD or ADBCDA.

FIG. 2F shows a different traversal through the same cost array 200, which generates results 262 of DABCAD or DABCDA. Thus, as expected, six masks in a required order are generated regardless of the least cost path traversed.

FIGS. 3A-C illustrate an array/matrix generated and traversed in one embodiment to identify a mask ordering. As shown in these figures, the cost array keeps track of from where the particular least cost values are derived. Although this may require additional storage, it makes traversal of the matrix more efficient. Also, it may produce an end result with fewer masks than that produced by the traversal illustrated in FIGS. 2E-F, as the traversal based on this derivation information can avoid a non-optimal path through the array induced when the traversal path is determined based only on the information local to a particular point in the array.

Turning to FIG. 3A, cost array 300 is generated in the same manner previously described or in another manner for ACLs 301 and 302. Note, for illustrative purposes, an additional required mask of D has been added to ACL (when compared to ACL 201 of FIGS. 2A-F). Also, as illustrated, one embodiment maintains indications of from where the numbers of different masks are derived.

As shown in FIG. 3A, one embodiment uses an n-tuple or vector to identify which previous location in the array/matrix was used in deriving the value at a position. For example, tuple (1,0) 305 identifies that the previous position in the same row was used; tuple (0,1) 306 identifies that the previous position in the same column was used; tuple (1,1) 307 identifies that the position in the previous row and previous column was used; and tuple (2,0) 308 identifies that two previous positions in the same row were used.

FIG. 3B visually illustrates these vectors used in one embodiment, with their corresponding tuple values represented from FIG. 3A.

As shown in FIG. 3C, maintaining the indications from where the mask costs are derived can make identification of the resultant mask order very efficient. Starting with the last position 311, and traversing cost array 300 based on the vectors/tuples identifies the reverse mask order of masks ADCBAD (311-316). Note, for ease of illustration, the representation of the vectors not used in the traversal (shown in FIG. 3B) are not reproduced in FIG. 3C. The desired resultant mask order 320 is thus: DABCDA.

FIG. 4A illustrates a process used in one embodiment for identifying a combined ordering of masks corresponding to multiple access control lists (ACLs), the multiple ACLs including n ACLs. Processing begins with process block 400, and proceeds to process block 402, wherein a required ordering of masks for each of the n ACLs is identified. In process block 404, an n-dimensional array is generated, wherein each axis of the n-dimensional array corresponds to masks in their requisite order of a different one of the multiple ACLs. The n-dimensional array progressively identifies numbers of different masks required for subset orderings of masks required for subsets of the multiple ACLs. In one embodiment, a last position identified by a last column and last row of the array identifies the number of different masks required for the single ordering of masks. One embodiment maintains indications of where the numbers of different masks are derived.

Next, in process block 406, the n-dimensional array is traversed to identify a sequence (e.g., the order or reverse order) of masks corresponding to a single ordering of masks including masks required for each of the multiple ACLs. The single ordering of masks maintains the ordering of masks required for each of the multiple ACLs with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of an ACL of the multiple ACLs. In one embodiment, the array is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the multiple ACLs. In one embodiment, the array is traversed based on the indications of where the numbers of different masks are derived.

Finally, in process block 408, the multiple block masks of an associative memory are populated with the masks required for the multiple ACLs. Processing is complete as indicated by process block 410.

FIG. 4B illustrates a process used in one embodiment for a combined ordering of masks corresponding to a first ACL and a second ACL. Processing begins with process block 440, and proceeds to process block 442, wherein a first ordering of masks required for the first ACL is identified, and a second ordering of masks required for the second ACL is identified. Next, in process block 444, a matrix of the first and second orderings of masks is generated, with the matrix progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs. One embodiment maintains indications of where the numbers of different masks are derived.

In process block 446, the matrix is traversed to identify a sequence (e.g., the order or reverse order) of masks corresponding to a single ordering of masks including masks required for the first ACL and the second ACL. The single ordering of masks maintains the first ordering and second orderings of masks with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of the first and second ACLs. In one embodiment, a last position identified by a last column and last row of the matrix identifies the number of different masks required for the single ordering of masks. In one embodiment, the matrix is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs. In one embodiment, the matrix is traversed based on said indications of where the numbers of different masks are derived.

One embodiment populates multiple block masks of an associative memory with said masks required for the first and second ACLs such that the single ordering of masks is produced in the associative memory.

Finally, in process block 448, the multiple block masks of an associative memory are populated with the masks required for the multiple ACLs. Processing is complete as indicated by process block 450.

Another way of viewing the identification of the ordering of masks is to define a cost function Cost(X, n), where X is the ACL, MAX is the maximum number of value entries with each mask entry. Thus,

$\mathrm{Cost}(X,n)=\begin{cases}0 & \text{if } n=0\\ \mathrm{Cost}(X,n-j)+1\ \text{ where } x_{n}=x_{n-1}=\dots=x_{n-j+1} \text{ and } 0\le j\le \mathrm{MAX} & \text{if } n>0\end{cases}$

Problem statement: Given the ACLs

$X_{1}=\langle x_{11},x_{12},x_{13},\dots,x_{1n_{1}}\rangle$

$X_{2}=\langle x_{21},x_{22},x_{23},\dots,x_{2n_{2}}\rangle$

. . .

$X_{m}=\langle x_{m1},x_{m2},x_{m3},\dots,x_{mn_{m}}\rangle$

Compute Z, which is an ordering of the aces in $X_{1}, X_{2}, \dots, X_{m}$, where

$Z=\langle z_{1},z_{2},\dots,z_{(n_{1}+n_{2}+\dots+n_{m})}\rangle$

such that

$\forall x_{ij},\ 1\le i\le m,\ 1\le j\le n_{i},\ \exists z_{k}$ where $1\le k\le (n_{1}+n_{2}+\dots+n_{m})$, and

if $x_{ij}=z_{a}$ and $x_{ik}=z_{b}$ and $j<k$ then $a<b$,

and $\mathrm{Cost}(Z,n_{1}+n_{2}+n_{3}+\dots+n_{m})$ is minimal.

Thus, for two ACLs, m=2 in the above problem statement and it reduces as follows.

$f_{s}(X,m)=\begin{cases}0 & \text{if } m=0\\ j & \text{where } x_{m}=x_{m-1}=\dots=x_{m-j+1} \text{ and } 1\le j\le \mathrm{MAX}\end{cases}$

$V(X,Y:m,n)=\begin{cases}\mathrm{Min}\left(V(X,Y:m-a,n),\ V(X,Y:m,n-b)\right)+1 & \text{where } x_{m}\neq y_{n}\\ \underset{\forall i,j,\ i+j\le \mathrm{MAX},\ i\le a,\ j\le b}{\mathrm{Min}}\left(V(X,Y:m-i,n-j)\right)+1 & \text{where } x_{m}=y_{n}\end{cases}$ (Equation 1)

where $a=f_{s}(X,m)$, $b=f_{s}(Y,n)$.

For two ACLs, $X_{1}$ and $X_{2}$, m=2 and the solution to the above recurrence relation $V(X_{1},X_{2}:x_{1n_{1}},x_{2n_{2}})$ gives the optimal number of masks required. FIG. 5 illustrates pseudo-code 500 for generating and traversing a matrix to identify the ordering of the masks to use. The process illustrated in pseudo-code 400 is a formalization of that previously described herein, so this discussion will not be repeated.

The time requirement for the algorithm [Min_Masks and Find_Optimized_ACL] is O(mn) where m is the number of aces in $ACL_{a}$ and n is the number of aces in $ACL_{b}$. The space requirement is O(mn).

This algorithm can be easily extended to more than two ACLs as illustrated in the pseudo-code below. Using the above approach the time requirement is $O(m_{1}m_{2}m_{3}\dots m_{n})$ where $ACL_{a}$ has $m_{1}$ aces, $ACL_{b}$ has $m_{2}$ aces . . . and $ACL_{n}$ has $m_{n}$ aces. The space requirement is $O(m_{1}m_{2}\dots m_{n})$.

    Result = NULL;
    for (i = 1; i < no of ACLs; i++)
        Result = {Min_Masks(Result, ACL_i); Find_Optimized_Acl(Result, ACL_i)};

With the above the time requirement is the order of

$O\left(\sum\limits_{j=1}^{n-1} m_{j}\cdot\sum\limits_{i=j+1}^{n} m_{i}\right)$

which is O(m³) when $m_{1}=m_{2}=\dots=m_{n}$ and the space requirement is O(nm²).
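The two-ACL cost matrix with derivation tuples, its traversal, and the pairwise extension to more ACLs can be sketched as follows. This is an added Python example, not the pseudo-code 500 of FIG. 5; the function names and the sample ACLs are constructed for illustration. It assumes MAX is not limiting (any run of adjacent entries with the same mask fits under one block mask), in which case Equation 1 reduces to the shortest-common-supersequence recurrence.

```python
from itertools import groupby

# Derivation tuples, following the FIG. 3A description: (columns back, rows back).
FROM_ROW = (1, 0)    # previous position in the same row: emit a mask of ACL y
FROM_COL = (0, 1)    # previous position in the same column: emit a mask of ACL x
FROM_DIAG = (1, 1)   # previous row and column: one shared mask serves both ACLs


def compress(masks):
    """Adjacent entries with the same mask share one block mask (MAX not modelled)."""
    return [m for m, _ in groupby(masks)]


def build_cost_array(x, y):
    """cost[i][j] = masks needed for the first i masks of x and the first j of y."""
    rows, cols = len(x) + 1, len(y) + 1
    cost = [[0] * cols for _ in range(rows)]
    back = [[None] * cols for _ in range(rows)]
    for i in range(1, rows):
        cost[i][0], back[i][0] = i, FROM_COL
    for j in range(1, cols):
        cost[0][j], back[0][j] = j, FROM_ROW
    for i in range(1, rows):
        for j in range(1, cols):
            if x[i - 1] == y[j - 1]:
                cost[i][j], back[i][j] = cost[i - 1][j - 1] + 1, FROM_DIAG
            elif cost[i - 1][j] <= cost[i][j - 1]:
                cost[i][j], back[i][j] = cost[i - 1][j] + 1, FROM_COL
            else:
                cost[i][j], back[i][j] = cost[i][j - 1] + 1, FROM_ROW
    return cost, back


def merge_masks(acl_x, acl_y):
    """Walk the derivation tuples from the last position back to (0,0)."""
    x, y = compress(acl_x), compress(acl_y)
    _, back = build_cost_array(x, y)
    i, j, reverse_order = len(x), len(y), []
    while i or j:
        cols_back, rows_back = back[i][j]
        reverse_order.append(x[i - 1] if rows_back else y[j - 1])
        i, j = i - rows_back, j - cols_back
    return reverse_order[::-1]


def merge_many(acls):
    """Pairwise fold, as in the loop above. Each step is minimal for its pair;
    the final order is not guaranteed minimal across all ACLs at once."""
    result = []                      # "Result = NULL"
    for acl in acls:
        result = merge_masks(result, acl)
    return result


def preserves_order(merged, acl):
    """True if the ACL's mask order survives in the merged order (first-match safety)."""
    it = iter(merged)
    return all(mask in it for mask in compress(acl))


# Constructed sample input: one mask label per ACL entry, in required order.
ACL_A = ["A", "A", "B", "C", "D"]
ACL_B = ["D", "B", "B", "C", "A"]
ACL_C = ["B", "C", "D"]

if __name__ == "__main__":
    merged = merge_many([ACL_A, ACL_B, ACL_C])
    print("".join(merged), len(merged))
    print([preserves_order(merged, acl) for acl in (ACL_A, ACL_B, ACL_C)])
```

Running `preserves_order` against every input ACL before programming the block masks is a cheap guard: an ordering that reorders an ACL's own masks would change which entry matches first.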

FIGS. 6A-F are block diagrams of various exemplary systems including one or more embodiments for reducing the number of block masks required for programming multiple access control lists in an associative memory and/or for performing lookup operations on the programmed associative memories. First, FIG. 6A illustrates one embodiment of a system, which may be part of a router or other communications or computer system, for determining a reduced number of block masks, for programming corresponding entries and block masks in one or more associative memories, and for performing lookup operations to produce results which can be used in the processing of packets. In one embodiment, control logic 610 determines the required ordering of block masks for multiple ACLs and, via signals 611, programs and updates associative memory or memories 615. In one embodiment, control logic 610 also programs memory 620 via signals 623. In one embodiment, control logic 610 includes custom circuitry, such as, but not limited to discrete circuitry, ASICs, memory devices, processors, etc.

In one embodiment, packets 601 are received by packet processor 605. In addition to other operations (e.g., packet routing, security, etc.), packet processor 605 typically generates one or more items, including, but not limited to one or more packet flow identifiers based on one or more fields of one or more of the received packets 601 and possibly from information stored in data structures or acquired from other sources. Packet processor 605 typically generates a lookup value 603 which is provided to control logic 610 for providing control and data information to associative memory or memories 615, which perform lookup operations and generate one or more results 617. In one embodiment, a result 617 is used by memory 620 to produce a result 625. Control logic 610 then relays result 607, based on result 617 and/or result 625, to packet processor 605. In response, one or more of the received packets are manipulated and forwarded by packet processor 605 as indicated by packets 609. Note, results 617, 625 and 607 may include indications of error conditions.

FIG. 6B illustrates one embodiment of a system, which may be part of a router or other communications or computer system, for determining a reduced number of block masks, for programming corresponding entries in one or more associative memories, and for performing lookup operations on the one or more associative memories. In one embodiment, control logic 630 determines the required ordering of block masks for multiple ACLs and, via signals 632, programs associative memory or memories 636. In addition, control logic 630 provides control and data information (e.g., lookup words, modification data, profile IDs, etc.) to associative memory or memories 636, which perform lookup operations to generate results and error signals 634, which are received by control logic 630.

FIG. 6C illustrates one embodiment of a system 680, which may be part of a router or other communications or computer system, for determining a reduced number of block masks, for programming corresponding entries in one or more associative memories, and for performing lookup operations on the one or more associative memories. In one embodiment, system or component 680 performs one or more processes corresponding to one of the diagrams illustrated herein or otherwise described herein.

In one embodiment, system 680 includes a processing element 681, memory 682, storage devices 683, one or more block mask associative memories 684, and an interface 685 for connecting to other devices, which are coupled via one or more communications mechanisms 689 (shown as a bus for illustrative purposes). In one embodiment, processing element 681 determines the required ordering of block masks for multiple ACLs and programs the block masks of one or more associative memories 684.

Various embodiments of system 680 may include more or fewer elements. The operation of system 680 is typically controlled by processing element 681 using memory 682 and storage devices 683 to perform one or more tasks or processes, such as programming and performing lookup operations using associative memory or memories 684. Memory 682 is one type of computer readable medium, and typically comprises random access memory (RAM), read only memory (ROM), flash memory, integrated circuits, and/or other memory components. Memory 682 typically stores computer executable instructions to be executed by processing element 681 and/or data which is manipulated by processing element 681 for implementing functionality in accordance with one embodiment of the invention. Storage devices 683 are another type of computer readable medium, and typically comprise solid state storage media, disk drives, diskettes, networked services, tape drives, and other storage devices. Storage devices 683 typically store computer executable instructions to be executed by processing element 681 and/or data which is manipulated by processing element 681 for implementing functionality in accordance with one embodiment of the invention.

In one embodiment, processing element 681 provides control and data information (e.g., lookup words, modification data, profile IDs, etc.) to associative memory or memories 684, which perform lookup operations to generate lookup results and possibly error indications, which are received and used by processing element 681 and/or communicated to other devices via interface 685.

In view of the many possible embodiments to which the principles of our invention may be applied, it will be appreciated that the embodiments and aspects thereof described herein with respect to the drawings/figures are only illustrative and should not be taken as limiting the scope of the invention. For example and as would be apparent to one skilled in the art, many of the process block operations can be re-ordered to be performed before, after, or substantially concurrent with other operations. Also, many different forms of data structures could be used in various embodiments. The invention as described herein contemplates all such embodiments as may come within the scope of the following claims and equivalents thereof.

1. A method for identifying a combined ordering of masks corresponding to a plurality of access control lists (ACLs), the plurality of ACLs including n ACLs, with n being an integer greater than one, the method comprising: identifying a required ordering of masks for each of the plurality of ACLs; generating an n-dimensional array wherein each axis of the n-dimensional array corresponds to masks in their said requisite order of a different one of the plurality of ACLs, the n-dimensional array progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs; and traversing the n-dimensional array to identify a sequence of masks corresponding to a single ordering of masks including masks required for each of the plurality of ACLs, wherein the single ordering of masks maintains the ordering of masks required for each of the plurality of ACLs with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of an ACL of the plurality of ACLs.
2. The method of claim 1, wherein a last position identified by a last column and last row of the array identifies the number of different masks required for the single ordering of masks.
3. The method of claim 1, wherein the n-dimensional array is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs.
4. The method of claim 1, wherein said generating the n-dimensional array includes maintaining indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated; and wherein the n-dimensional array is traversed based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated.
5. The method of claim 1, comprising populating a plurality of block masks of an associative memory with said masks required for the plurality of ACLs such that the single ordering of masks is produced in the associative memory.
6. An apparatus comprising one or more processors and a memory, wherein the memory stores one or more instructions that, when executed by the one or more processors, perform steps for identifying a combined ordering of masks corresponding to a plurality of access control lists (ACLs), the plurality of ACLs including n ACLs, with n being an integer greater than one, said steps comprising: identifying a required ordering of masks for each of the plurality of ACLs; generating an n-dimensional array wherein each axis of the n-dimensional array corresponds to masks in their said requisite order of a different one of the plurality of ACLs, the n-dimensional array progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs; and traversing the n-dimensional array to identify a sequence of masks corresponding to a single ordering of masks including masks required for each of the plurality of ACLs, wherein the single ordering of masks maintains the ordering of masks required for each of the plurality of ACLs with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of an ACL of the plurality of ACLs.
7. The apparatus of claim 6, wherein a last position identified by a last column and last row of the array identifies the number of different masks required for the single ordering of masks.
8. The apparatus of claim 6, wherein the n-dimensional array is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs.
9. The apparatus of claim 6, wherein said generating the n-dimensional array includes maintaining indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated; and wherein the n-dimensional array is traversed based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated.
10. The apparatus of claim 6, wherein said steps comprise populating a plurality of block masks of an associative memory with said masks required for the plurality of ACLs such that the single ordering of masks is produced in the associative memory.
11. An apparatus for identifying a combined ordering of masks corresponding to a plurality of access control lists (ACLs), the plurality of ACLs including n ACLs, with n being an integer greater than one, the method comprising: means for generating an n-dimensional array wherein each axis of the n-dimensional array corresponds to masks in a required ordering for a different one of the plurality of ACLs, the n-dimensional array progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs; and means for traversing the n-dimensional array to identify a sequence of masks corresponding to a single ordering of masks including masks required for each of the plurality of ACLs, wherein the single ordering of masks maintains the ordering of masks required for each of the plurality of ACLs with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of an ACL of the plurality of ACLs.
12. The apparatus of claim 11, wherein a last position identified by a last column and last row of the array identifies the number of different masks required for the single ordering of masks.
13. The apparatus of claim 11, wherein said means for traversing the n-dimensional array includes means for traversing the n-dimensional array based on said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs.
14. The apparatus of claim 11, wherein said means for generating the n-dimensional array includes means for maintaining indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated; and wherein said means for traversing the n-dimensional array includes means for traversing the n-dimensional array based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the plurality of ACLs are generated.
15. The apparatus of claim 11, comprising means for populating a plurality of block masks of an associative memory with said masks required for the plurality of ACLs such that the single ordering of masks is produced in the associative memory.
16. A method for identifying a combined ordering of masks corresponding to a first access control list (ACL) and a second ACL, the method comprising: identifying a first ordering of masks required for the first ACL; identifying a second ordering of masks required for the second ACL; generating a matrix of the first and second orderings of masks, the matrix progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs; and traversing the matrix to identify a sequence of masks corresponding to a single ordering of masks including masks required for the first ACL and the second ACL, wherein the single ordering of masks maintains the first ordering and second orderings of masks with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of the first and second ACLs.
17. The method of claim 16, wherein a last position identified by a last column and last row of the matrix identifies the number of different masks required for the single ordering of masks.
18. The method of claim 16, wherein the matrix is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs.
19. The method of claim 16, wherein said generating the matrix includes maintaining indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated; and wherein the matrix is traversed based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated.
20. The method of claim 16, comprising populating a plurality of block masks of an associative memory with said masks required for the first and second ACLs such that the single ordering of masks is produced in the associative memory.
21. An apparatus comprising one or more processors and a memory, wherein the memory stores one or more instructions that, when executed by the one or more processors, perform steps for identifying a combined ordering of masks corresponding to a first access control list (ACL) and a second ACL, said steps comprising: identifying a first ordering of masks required for the first ACL; identifying a second ordering of masks required for the second ACL; generating a matrix of the first and second orderings of masks, the matrix progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs; and traversing the matrix to identify a sequence of masks corresponding to a single ordering of masks including masks required for the first ACL and the second ACL, wherein the single ordering of masks maintains the first ordering and second orderings of masks with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of the first and second ACLs.
22. The apparatus of claim 21, wherein a last position identified by a last column and last row of the matrix identifies the number of different masks required for the single ordering of masks.
23. The apparatus of claim 21, wherein the matrix is traversed based on said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs.
24. The apparatus of claim 21, wherein said generating the matrix includes maintaining indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated; and wherein the matrix is traversed based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated.
25. The apparatus of claim 21, wherein said steps comprise populating a plurality of block masks of an associative memory with said masks required for the first and second ACLs such that the single ordering of masks is produced in the associative memory.
26. An apparatus for identifying a combined ordering of masks corresponding to a first access control list (ACL) and a second ACL, the method comprising: means for generating a matrix with a first axis corresponding to a first ordering of masks required for the first ACL and a second axis corresponding to a second ordering of masks required for the second ACL, the matrix progressively identifying numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs; and means for traversing the matrix to identify a sequence of masks corresponding to a single ordering of masks including masks required for the first ACL and the second ACL, wherein the single ordering of masks maintains the first ordering and second orderings of masks with one or more masks corresponding to a different ACL or other feature in between one or more consecutive masks of the first and second ACLs.
27. The apparatus of claim 26, wherein a last position identified by a last column and last row of the matrix identifies the number of different masks required for the single ordering of masks.
28. The apparatus of claim 26, wherein said means for traversing the matrix includes means for traversing the matrix based on said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs.
29. The apparatus of claim 26, wherein said means for generating the matrix includes means for maintaining indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated; and wherein said means for traversing the matrix includes means for traversing the matrix based on said indications from where said numbers of different masks required for subset orderings of masks required for subsets of the first and second ACLs are generated.
30. The apparatus of claim 26, comprising means for populating a plurality of block masks of an associative memory with said masks required for the first and second ACLs such that the single ordering of masks is produced in the associative memory.